diff -Nru menu-cache-1.0.1/debian/changelog menu-cache-1.0.1/debian/changelog --- menu-cache-1.0.1/debian/changelog 2016-01-04 12:31:16.000000000 -0600 +++ menu-cache-1.0.1/debian/changelog 2017-08-09 08:54:28.000000000 -0500 @@ -1,3 +1,11 @@ +menu-cache (1.0.1-1ubuntu0.1) xenial-security; urgency=medium + + * SECURITY UPDATE: Socket may be blocked by another user (LP: #1703564) + - fix-CVE-2017-8933.patch + - CVE-2017-8933 + + -- Simon Quigley Wed, 09 Aug 2017 08:54:28 -0500 + menu-cache (1.0.1-1build1) xenial; urgency=high * No change rebuild for s390x. diff -Nru menu-cache-1.0.1/debian/control menu-cache-1.0.1/debian/control --- menu-cache-1.0.1/debian/control 2015-12-07 06:01:14.000000000 -0600 +++ menu-cache-1.0.1/debian/control 2017-08-09 08:54:28.000000000 -0500 @@ -1,7 +1,8 @@ Source: menu-cache Section: libs Priority: optional -Maintainer: Debian LXDE Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian LXDE Maintainers Uploaders: Andrew Lee (李健秋) , Andriy Grytsenko Build-Depends: diff -Nru menu-cache-1.0.1/debian/patches/fix-CVE-2017-8933.patch menu-cache-1.0.1/debian/patches/fix-CVE-2017-8933.patch --- menu-cache-1.0.1/debian/patches/fix-CVE-2017-8933.patch 1969-12-31 18:00:00.000000000 -0600 +++ menu-cache-1.0.1/debian/patches/fix-CVE-2017-8933.patch 2017-08-09 08:53:40.000000000 -0500 @@ -0,0 +1,63 @@ +Description: Socket may be blocked by another user + Libmenu-cache 1.0.2 uses /tmp for a socket file, allowing a local user to + cause a denial of service (menu unavailability). This fixes the potential + access violation by using runtime user dir instead of tmp dir. + . + Note: it limits libmenu-cache compatibility to menu-cached >= 0.7.0. + . + This fixes CVE-2017-8933. +Author: Andriy Grytsenko +Origin: upstream +Bug: https://sourceforge.net/p/lxde/bugs/863 +Bug-Ubuntu: https://pad.lv/1703564 +Applied-Upstream: 54ab9e45764435634cdf5de360b295ee3a22817a +Last-Update: 2017-08-08 +--- a/libmenu-cache/menu-cache.c ++++ b/libmenu-cache/menu-cache.c +@@ -3,7 +3,7 @@ + * + * Copyright 2008 PCMan + * Copyright 2009 Jürgen Hötzel +- * Copyright 2012-2015 Andriy Grytsenko (LStranger) ++ * Copyright 2012-2017 Andriy Grytsenko (LStranger) + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public +@@ -1522,8 +1522,13 @@ static void get_socket_name( char* buf, + if(*p) + *p = '\0'; + } ++#if GLIB_CHECK_VERSION(2, 28, 0) ++ g_snprintf( buf, len, "%s/menu-cached-%s", g_get_user_runtime_dir(), ++ dpy ? dpy : ":0" ); ++#else + g_snprintf( buf, len, "%s/.menu-cached-%s-%s", g_get_tmp_dir(), + dpy ? dpy : ":0", g_get_user_name() ); ++#endif + g_free(dpy); + } + +--- a/menu-cache-daemon/menu-cached.c ++++ b/menu-cache-daemon/menu-cached.c +@@ -446,6 +446,9 @@ static void get_socket_name( char* buf, + if(*p) + *p = '\0'; + } ++ /* NOTE: this socket name is incompatible with versions > 1.0.2, ++ although this function is never used since 0.7.0 but ++ libmenu-cache always requests exact socket name instead */ + g_snprintf( buf, len, "%s/.menu-cached-%s-%s", g_get_tmp_dir(), + dpy ? dpy : ":0", g_get_user_name() ); + g_free(dpy); +--- a/NEWS ++++ b/NEWS +@@ -19,6 +19,9 @@ Changes in 1.0.1 since 1.0.0: + + * Fixed memory corruption in scanning addressed directory. + ++* Fixed potential access violation, use runtime user dir instead of tmp dir. ++ It limits libmenu-cache compatibility to menu-cached >= 0.7.0. ++ + + Changes in 1.0.0 since 0.7.0: + diff -Nru menu-cache-1.0.1/debian/patches/series menu-cache-1.0.1/debian/patches/series --- menu-cache-1.0.1/debian/patches/series 1969-12-31 18:00:00.000000000 -0600 +++ menu-cache-1.0.1/debian/patches/series 2017-08-09 08:53:26.000000000 -0500 @@ -0,0 +1 @@ +fix-CVE-2017-8933.patch